Auditing Information and Cyber Security Governance
eBook - ePub

Auditing Information and Cyber Security Governance

A Controls-Based Approach

Robert E. Davis

284 pages
English
ePUB

About This Book

"A much-needed service for society today. I hope this book reaches information managers in the organization now vulnerable to hacks that are stealing corporate information and even holding it hostage for ransom."

– Ronald W. Hull, author, poet, and former professor and university administrator

A comprehensive entity security program deploys information asset protection through stratified technological and non-technological controls. Controls are necessary for counteracting the risks arising from threats, opportunities, and vulnerabilities in a manner that reduces potential adverse effects to defined, acceptable levels. This book presents a methodological approach in the context of normative decision theory constructs and concepts, with appropriate reference to standards and the respective guidelines. Normative decision theory attempts to establish a rational framework for choosing between alternative courses of action when the outcomes resulting from the selection are uncertain. Through methodological application, decision theory techniques can provide objectives determination, interaction assessments, performance estimates, and organizational analysis. A normative model prescribes what should exist according to an assumption or rule.


Information

Publisher: CRC Press
Year: 2021
ISBN: 9781000416121
Edition: 1
Subtopic: Auditing

Chapter 1
Security Governance

Abstract

Dependence on information by for-profit and not-for-profit organizational formations continues to expand. However, distinguishing information security from cybersecurity is a perspective issue. Contextually, information security means protecting information and information systems from unauthorized access, use, disclosure, modification, disruption, and destruction. In contrast, cybersecurity focuses on protecting IT that acquires, stores, manipulates, manages, moves, controls, displays, switches, interchanges, or transmits digitally encoded data. Information Security Governance (ISG), by comparison, necessitates taking the expanded view that the entity’s data, information, and derived knowledge must receive appropriate protection without regard to the acquisition, handling, processing, transport, or storage method. Chapter 1 focuses on the effect of entity governance, ISG, and Cyber Security Governance as management tools for appropriate information and technology security.

Introduction

Information usually obtains value when considered usable in decision-making (Davis, 2008a). Security is a prominent component within organizational governance that enables fulfilling a stakeholder expectation (Brotby, 2009; Davis, 2017; Flores et al., 2014). Part of the stakeholder security expectation is satisfied through appropriate Information Security Governance (ISG; Davis, 2008a, 2013). Properly constructed and implemented, ISG supports stakeholder expectations concerning management’s explicit or implicit fiduciary responsibilities (Davis, 2008a, 2011, 2017).
Loyalty to the person or group (i.e., principal) tasking the duty is a fiduciary expectation (Davis, 2008a). Consequently, personal interests do not supersede a fiduciary duty, and the fiduciary must not profit from the position unless the principal consents (Davis, 2008a). Therefore, a fiduciary should avoid engaging in activities where personal interests and fiduciary duty are conflictive and situations where the fiduciary duty conflicts with another fiduciary duty (Davis, 2008a). Moreover, a fiduciary should not seek personal benefit from the fiduciary position without expressing principal knowledge and consent (Davis, 2008a).
Control is the exercise of directing or restraining influence (Avison, 2007). An organization’s information security controls comprise the procedures adopted or devised to furnish management with some degree of comfort regarding the achievement of protection objectives for information assets. An entity’s management should have, and in several countries does have, a legal responsibility to implement adequate control systems for preventing, detecting, and conditionally correcting errors, mistakes, omissions, irregularities, and illegal acts (Davis, 2006, 2008a).
ISG should address creating and implementing a “system of security controls” that enable ethical and legal managerial responsibilities fulfillment for information assets protection (IAP). Ethically, management must protect an entity’s information assets from potential internal and external threats that can compromise confidentiality, integrity, or availability in order to preserve organization, presentation, and utilization value (Ahmad et al., 2014; Brotby, 2006; Davis, 2008a, 2017; Whitman & Mattord, 2012). Legally, within an entity’s information security control system, explicitly or implicitly, management as fiduciary agents are responsible and accountable for deploying controls that prevent, deter, detect, and correct unacceptable actions (Davis, 2008a).
Management’s due care related to information systems drives appropriate information security due-diligence activities that emanate from fiduciary responsibilities (Boyson, 2014; Davis, 2008a, 2017; Whitman & Mattord, 2012). Instituting and sustaining information safeguarding necessitates a comprehensive program addressing cyber threats that can thwart organizational mission achievement (Ahmad et al., 2014; Davis, 2017; Kushwaha, 2016; Mohare & Lanjewar, 2012). Information security breaches can originate from external or internal actions (Crossler et al., 2013; Davis, 2017; Silic & Back, 2014). Therefore, responsible information technology (IT) manager-leaders should ensure ethical behavior by every individual interacting with the organization’s information systems through effectual ISG (Boyson, 2014; Davis, 2017). However, organizational IAP breaches have decreased value appropriation (Clark & Harrell, 2013; Silic & Back, 2014).
IAP should be an entity’s uppermost concern because IT security incidents can compromise the confidentiality, integrity, or availability of financial and operational systems (Davis, 2008a). Sources of IAP threats can be a person, thing, or event (Davis, 2008a). Scholars and practitioners have synopsized that information security is no longer mainly a technology issue needing operational IT personnel handling but rather more of a governance concern (Davis, 2017; Julisch, 2013; Mohare & Lanjewar, 2012; Whitman & Mattord, 2012).
No single theoretical or practice approach can encompass organizational governance diversity. The Governance Tree framework aims to mobilize and facilitate applying a controls approach in a shared practitioner program while increasing comparability reflecting different scholarly perspectives. The framework allows scholars and practitioners to investigate and apply the drivers, forms, causal mechanisms, and organizational governance pathways, considering the effects on regulatory capacity, performance, and outcomes. This chapter presents the discernible ISG perspectives and evolution. The discussions in this chapter also define cybersecurity reflecting a contextually based understanding and Cyber Security Governance integration insights. Moreover, this chapter advances the organizational governance research agenda by illustrating the Governance Tree framework’s applicability within empirical contexts.

Governance Perspectives

Organizational governance can supply a framework for ethical decision-making and managerial action predicated on transparency, accountability, and defined roles (Marnewick & Labuschagne, 2011). Implicit expectations for effective governance reside in the fiduciary relationship between stakeholders’ and organizational managements’ adherence to shared morality values (Davis, 2008a, 2017). Morality values link to principles and standards (Bagozzi et al., 2009; Northouse, 2013). Values of stakeholders and managements typically address morality regarding overall image perceptions and detailed edicts consisting of regulatory guides for behavior (Bagozzi et al., 2009; Ferrell, 2005). Internationally, a fiduciary duty is considered the highest care standard imposed through law or equity (Davis, 2008a).
Fiduciary relationship establishment may be an expectancy by the entrusting party or decreed by law or regulation (Davis, 2008a). Commonly, fiduciary relationships can exist for professionals, agents, executors, trustees, guardians, and entity employees (Brotby, 2006; Davis, 2008a). Salient fiduciary relationship features are loyalty, good faith, and trust at the entity employee level (Davis, 2008a). Loyalty is faithfulness to the obligating principal (Davis, 2008a). Good faith represents a veracious intention to abstain from taking unfair advantage of another (Davis, 2008a). Trust reflects confidence reposed in one person to manage or safeguard entrusted property for another’s benefit (Davis, 2008a).
Ethical values affect fiduciary loyalty, good faith, and trust. As a set of moral principles, ethics can represent the science of social duty or rules of responsibility drawn from personal duty science (Davis, 2008a). Additionally, ethics can reference a system of rules and principles concerning the duty or the practice linking a social action class (Davis, 2008a). Deontological ethics only considers rational judgments in determining if an action is right or wrong (Bagozzi et al., 2009; Northouse, 2013). In contrast, teleological ethics for a decision to act considers potential outcomes, and virtue ethics focuses primarily on moral character aspects (Bagozzi et al., 2009). Commonly, ethical behavior sustains principal–agent fiduciary relationships (Davis, 2008a).
Integrity values also affect fiduciary loyalty, good faith, and trust (Davis, 2008a). Integrity can be considered a set of moral values that reflect the state or quality encompassing honesty, moral principles, uprightness, and sincerity (Davis, 2008a). Typically, integrity results when individuals receive high ethical and behavioral standard communications and practice enforcement (Davis, 2008a). Organizational integrity standards should include administrative actions for removing or reducing incentives and temptations that might prompt employees to engage in dishonest, illegal, or immoral behavior (Davis, 2008a). Organizational governance is a means to attempt controlling contemptible individual and group actions to benefit entity continuity.
Governance assists in satisfying stakeholder expectations concerning managerial responsibilities (Davis, 2008a, 2017). Stakeholder identification (Gil-Lafuente & Paula, 2013) and applying value analysis (Harrison & Wicks, 2013) assist in assessing entity-level strategy and organizational culture alignment (Davis, 2017). Derivatively, the alignment of stakeholder values and organizational values depends on effectively and efficiently pursuing the defined mission while strictly adhering to espoused entity values (Davis, 2017). Alignment exists and is sustainable considering stakeholder values when an entity can furnish products or services supporting acceptable value creation (Chou, 2015; Davis, 2017; Di Gregorio, 2013) and value appropriation (Davis, 2017; Di Gregorio, 2013). Stakeholder value creation and appropriation are derivable from the relevance and quality of products and services, affiliation utility, organizational justice cognitions, and opportunity cost perceptions (Harrison & Wicks, 2013). Values alignment construct deviation by organizational management could result in stakeholder dissatisfaction generating perceptions that competitors offer a stronger value proposition (Davis, 2017).
Information assets contain or can contain data (Davis, 2012, 2017) that may be subject to dishonest, illegal, or immoral behavior. Organizational management needs to address IAP at the governance level to mitigate technology deployment informational risks (Davis, 2017; Yaokumah, 2013). However, the managerial perspective for ISG has diverging views concerning accountability (Williams et al., 2013). On the one hand, some practitioners and scholars considered ISG responsibilities to be an IT governance accountability subfunction (Gheorghe, 2010). On the other hand, some practitioners and scholars considered ISG to have discrete function accountability to those responsible for entity governance (Williams et al., 2013).
Without regard to whether management views ISG as a program directly supporting entity governance or an IT governance program subset, IAP is necessary (Davis, 2017). In meeting the needed IAP, information security perspectives must address managerial and technical aspects (Silic & Back, 2014). An adaptive balance between rational management and applied technology enables appropriate information security (Ahmad et al., 2014; Brotby, 2006; Davis, 2017; Safa & Von Solms, 2016). Organizational management’s development and deployment of reasonable information security policies and procedures permit ensuring appropriate IAP, while efficaciously applied information security technology can increase IAP effectiveness in addressing potential internal and external threats (Ahmad et al., 2014; Davis, 2017).

Rational Management

Management is the act of achieving organizational objectives through the use of available resources. In other words, management is an interactive function that entails planning, organizing, orchestrating, directing, and controlling activities in an organizational setting (Davis, 2008a; Kotter, 2001; Maccoby, 2000; Northouse, 2013). A sound management practice approach to IAP is unavoidable given that information systems and associated technology continue to increase in complexity (Bahl & Wali, 2014; Davis, 2008a).
Typically, primary purposes of information systems are useful data collection, reliable input processing, and timely output dissemination (Davis, 2008a). Information systems’ integration design and deployment should include appropriate control measures to achieve management’s objectives (Davis, 2008a). A controls-based approach for information systems operates according to a prescribed or bounded set of criteria. Therefore, an entity’s management should consider IAP as a service requirement that ensures expected delivery and support by applying relevant information criteria (Davis, 2008a). An entity’s information delivery and support deployment should adequately address effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability criteria (Davis, 2008a), where the generally accepted principles for information security are confidentiality, integrity, and availability (Arief et al., 2015; Samonas & Coss, 2014).
Classically, managers receive assignments to function at various authority, responsibility, and accountability levels (Davis, 2008a). Managerial authority, responsibility, and accountability delegation usually occur after considering the following facts:
  • Authority provides the power or right to give commands, enforce obedience, initiate action, or make final decisions (Davis, 2008a, 2011). How organizational assignments occur as well as how reporting relationships and authorizatio...